The Australian government has published guidelines on the third-party use of data from its contentious My Health Record, with the Secondary Use of Data Governance Board charged with making many of the decisions on who can use the data and why, on a case-by-case basis.

My Health Record is Australia's electronic health records system, given the green light in August 2017 from the Council of Australian Governments Health Council (COAG) to begin automatically signing up Australians.

By 2018, all Australians will have a My Health Record, and by 2022, all healthcare providers will be able to contribute to and use health information stored in My Health Record on behalf of their patients. They will also be able to communicate with other healthcare providers on the clinical status of joint patients via the digital platform.

Australians will be able to opt out of a My Health Record if they choose, and they similarly can opt out of having their data available for secondary use.

Where a health record has been cancelled, the data also becomes unavailable for secondary use.

The board will comprise representatives from the Australian Institute of Health and Welfare (AIHW), which is the data custodian for the purposes of the framework; the Australian Digital Health Agency, which will act as the system operator; and representatives from population health/epidemiology, research, health services delivery, technology, data science, data governance and privacy, and consumer advocacy.

There are 18 steps an entity wishing to access the information contained within the My Health Record must follow, including gaining "ethics approval" from the AIHW Ethics Committee.

The board will oversee development and operation of all secondary use infrastructure, the framework explains.

For example, the board will use a "case and precedent" approach to determine what is "solely commercial use" of data.

The board will assess applications primarily based on the use of data, not the user, with the framework explaining the "safe people" principle will be applied when reviewing requests for data with respect to the applicant, probing their knowledge, skills, and incentives to store and use the data appropriately.

In order to be granted access to the data, overseas-based applicants must be working in "collaboration" with an Australian applicant in respect to the proposed project. They must also demonstrate that the proposed data usage will generate public health benefits for Australians.

Direct access to or release of My Health Record data is only to the Australian entity, and data released for secondary use is to be stored in a facility within Australia.

The applicant must also be responsible for ensuring they comply with all relevant Australian legislation.

The framework restricts access to de-identified data, noting it cannot be used solely for commercial and non-health-related purposes.

The provision of My Health Record data to insurance agencies will also not be permitted at this stage, while the use of My Health Record data for clinical trials recruitment will not be considered until an explicit consent option is available in the My Health Record access controls.

"There is a need to balance support for the use of the data for beneficial research and public health purposes against the policy of not using the data for solely commercial purposes," the framework reads. "Commercial organisations may propose uses that could be approved so long as it can be demonstrated that the use is consistent with 'research and public health purposes' and is likely to generate public health benefits and/or be in the public interest."

With health the highest breached sector in Australia since the country's Notifiable Data Breaches (NDB) scheme came into effect earlier this year, the framework has included a contractual requirement that the entity using the My Health Record data report any data breaches or data loss to the Office of the Australian Information Commissioner, including advice on remedial actions to be taken under the NDB scheme.

Where an applicant seeks access to data from another repository such as the Medicare Benefits Schedule or Pharmaceutical Benefits Schedule data, they will be referred to the data custodian for those systems.

The framework will be reviewed after two years of operation.
